Add policy for gcl and the gcl-generated binary for maxima #23
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| /usr/lib(64)?/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:gcl_exec_t,s0) | ||
| /usr/lib(64)?/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:gcl_exec_t,s0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,143 @@ | ||
| ## <summary>policy for gcl</summary> | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute a domain transition to run gcl. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`gcl_domtrans',` | ||
| gen_require(` | ||
| type gcl_t; | ||
| type gcl_exec_t; | ||
| ') | ||
|
|
||
| domtrans_pattern($1,gcl_exec_t,gcl_t) | ||
| ') | ||
|
|
||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Do not audit attempts to read, | ||
| ## gcl tmp files | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain to not audit. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`gcl_dontaudit_read_tmp_files',` | ||
| gen_require(` | ||
| type gcl_tmp_t; | ||
| ') | ||
|
|
||
| dontaudit $1 gcl_tmp_t:file read_file_perms; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Allow domain to read, gcl tmp files | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain to not audit. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`gcl_read_tmp_files',` | ||
| gen_require(` | ||
| type gcl_tmp_t; | ||
| ') | ||
|
|
||
| allow $1 gcl_tmp_t:file read_file_perms; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Allow domain to manage gcl tmp files | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain to not audit. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`gcl_manage_tmp',` | ||
| gen_require(` | ||
| type gcl_tmp_t; | ||
| ') | ||
|
|
||
| manage_dirs_pattern($1,gcl_tmp_t,gcl_tmp_t) | ||
| manage_files_pattern($1,gcl_tmp_t,gcl_tmp_t) | ||
| manage_lnk_files_pattern($1,gcl_tmp_t,gcl_tmp_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute gcl in the gcl domain, and | ||
| ## allow the specified role the gcl domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## The role to be allowed the gcl domain. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="terminal"> | ||
| ## <summary> | ||
| ## The type of the role's terminal. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`gcl_run',` | ||
| gen_require(` | ||
| type gcl_t; | ||
| ') | ||
|
|
||
| gcl_domtrans($1) | ||
| role $2 types gcl_t; | ||
| dontaudit gcl_t $3:chr_file rw_term_perms; | ||
| ') | ||
|
|
||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## All of the rules required to administrate | ||
| ## an gcl environment | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## The role to be allowed to manage the gcl domain. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="terminal"> | ||
| ## <summary> | ||
| ## The type of the user terminal. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <rolecap/> | ||
| # | ||
| interface(`gcl_admin',` | ||
| gen_require(` | ||
| type gcl_t; | ||
| ') | ||
|
|
||
| allow $1 gcl_t:process { ptrace signal_perms getattr }; | ||
| read_files_pattern($1, gcl_t, gcl_t) | ||
|
|
||
| gcl_manage_tmp($1) | ||
| ') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| policy_module(gcl,1.0.1) | ||
|
|
||
| ######################################## | ||
| # | ||
| # Declarations | ||
| # | ||
|
|
||
| type gcl_t; | ||
| type gcl_exec_t; | ||
| application_domain(gcl_t, gcl_exec_t) | ||
| role system_r types gcl_t; | ||
|
|
||
| ######################################## | ||
| # | ||
| # gcl local policy | ||
| # | ||
|
|
||
| ## internal communication is often done using fifo and unix sockets. | ||
| allow gcl_t self:fifo_file rw_file_perms; | ||
| allow gcl_t self:unix_stream_socket create_stream_socket_perms; | ||
|
|
||
| libs_use_ld_so(gcl_t) | ||
| libs_use_shared_libs(gcl_t) | ||
|
|
||
| miscfiles_read_localization(gcl_t) | ||
|
|
||
| ## The GCL memory management and executable dumping routines manipulate memory | ||
| ## in various (usually forbidden) ways. | ||
| allow gcl_t self:process { execmem execheap }; | ||
|
|
||
| optional_policy(` | ||
| unconfined_domain(gcl_t) | ||
| ') | ||
|
|
||
| optional_policy(` | ||
| gen_require(` | ||
|
There was a problem hiding this comment. This require is not needed if you move gcl_run(...) into unconfined SELinux module. |
||
| type unconfined_t; | ||
| type unconfined_devpts_t; | ||
| type unconfined_tty_device_t; | ||
| role unconfined_r; | ||
| ') | ||
|
|
||
| gcl_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) | ||
|
There was a problem hiding this comment. This should be part of unconfined SELinux module in fedora-selinux/selinux-policy repo. |
||
| allow gcl_t gcl_exec_t:file execmod; | ||
| ') | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're trying to confine gcl processes but using this interface you make gcl unconfined. Is there any reason for this?